CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Hacked’ Category

Mass Injection At Media Temple Hosting Leads To Web Exploit Kit

Friday, August 6th, 2010

Security researchers from Websense warn that over one hundred websites hosted at Media Temple (mt) have been injected with rogue code that leads visitors to a potent Web exploitation kit. The toolkit targets a dozen vulnerabilities in older versions of Flash Player, Adobe Reader, Internet Explorer and the Java Runtime.

The mass compromise was detected by Websense’s ThreatSeeker Network, and even though the affected websites are hosted at Media Temple, this does not imply any security problems with the hosting company’s servers or infrastructure. Similarly to other hosting providers, Media Temple has had its share of compromised websites under its roof in the past and this is because hackers systematically scan entire address spaces for vulnerable targets, before proceeding to infect them.

A large number of the websites compromised in this latest attack (46%) are running WordPress, but again, this does not suggest any unpatched vulnerability in the popular blogging platform. The Websense security researchers note that most likely the injections are the result of flaws in outdated third party software.

The rogue code added to the compromised websites is obfuscated JavaScript that generates one of a set of malicious URLs and directs users to it. “Using the algorithm [...], we generated 64 URLs […] and find there are 2 different scripts. One is very simple with an anti-bot trick so it won’t be crawled by search engines. […] The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix,” the Websense experts explain.

An exploit kit is a collection of exploits for vulnerabilities in applications that are found on most people’s computers. At the moment, the Phoenix kit targets two flaws in Adobe Flash Player, five in Adobe Reader, three in Internet Explorer and two in the Java Runtime Environment, although this could change in the future.

In order to stay protected from such threats, users are advised to always keep their applications up to date and run a capable antivirus program on their computers. Free specialized programs like the Personal Software Inspector (PSI) from Secunia can monitor most programs installed on a computer and alert the owner as soon as updates for them are available.

Credit: Softpedia.com News

Government .gov Domains DNS Hijacked, Point To Adult Content And Push Adware

Friday, July 16th, 2010

Security researchers warn that various domains in the .gov space had their DNS hijacked and are hosting pages that redirect users to adult websites. The hijacking seems to be part of a scheme to push FLVDirect adware.

Apparently, FLVDirect affiliates are abusing several government domains, including, but not limited to, yanceycountync.gov, uppersiouxcommunity-nsn.gov, woodfin-nc.gov, dumontnj.gov and emporia-kansas.gov to trick users into downloading and installing adware on their computers. The attackers have managed to create sub-domains of the form tubes-####.* (where # is a single digit) on all of the affected domains.

“It looks like their DNS has been hijacked and those sub domains point to servers that are not under their control,” researchers from Sunbelt Software, who analyzed the attack, write. Pages hosted on the rogue sub-domains are riddled with keywords and are being used in a black hat search engine optimization (BHSEO) campaign to poison search results for queries related to adult content. Such techniques are commonly employed by cyber crooks to infect unsuspecting users looking for information on current events with scareware.

Visiting any of the pages hosted on the rogue sub-domains redirects users to either a FLVDirect affiliate site promising hundreds of hours of adult videos for free or an adult dating community. FLVDirect is a well-known piece of adware – an application designed to display unsolicited ads once installed on a computer.

“Adware:Win32/FlvDirect is the detection for a file that installs the program ‘FlvDirect Media Player’. This program is usually bundled with another adware program detected as Adware:Win32/LoudMo. These installers contain an ID, which can be monitored; the more installers are deployed, the more an affiliate company is paid for deploying the installer,” Microsoft explains.

All the sub-domains appear to be hosted on a server responding to 66.49.238.80. This IP address belongs to a company called Canaca-com Inc, which sells Web hosting and VPS hosting services.

Credit: Softpedia.com News

The Pirate Bay Compromised, Hacker Swipes Details Of 4 Million Users

Thursday, July 8th, 2010

The Pirate Bay has been compromised by an Argentinean hacker who made off with usernames, email and internet addresses of more than four million people signed up to the BitTorrent tracker site.

KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the info from the notorious website, which might amuse some pro-copyright groups.

Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information in the site’s user database by exploiting an SQL injection vulnerability.

“We wanted to tell people that their information may not be so well protected,” Russo said.

Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carries the following message:

“Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

At this moment the website appears to be offline.

Credit: The Register

Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan

Tuesday, June 22nd, 2010

The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.

The IFrame points to an exploit kit hosted on a domain called volgo-marun.cn. After running several checks to determine which vulnerable software a visitor has installed, the kit serves exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash Player.

“These exploit codes attempt to load file hxxp://volgo-marun.cn/pek/exe.exe which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain sicha-linna8.com,” Le Minh Hung, senior security researcher at Bkis, writes.

At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo.com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

“Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including volgo-marun.cn/,” a detailed explanation of the Google warnings reads.

Even though the malicious .cn domain appears to be dead at the moment, it could come back online at any time. Therefore, users are advised to steer clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

Credit: Softpedia.com News

Thousands Of High-Ranked Webpages Infected With Malware, Including Intljobs.org, WSJ.com, tomtom.com.tw

Wednesday, June 9th, 2010

More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.

The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft’s Internet Information Services using ASP.net, said David Dede, head of malware research at Sucuri, a website monitoring firm. Intljobs.org, The Wall Street Journal’s wsj.com, The Jerusalem Post, tomtom.com.tw and the police department website for UK county of Strathclyde have been hacked.

Google searches on Tuesday indicated more than 100,000 pages were infected, Dede said, but that number had shrunk to about 7,750 at time of writing.

The sites were infected using SQL injection exploits, which allow attackers to tamper with a server’s database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious JavaScript on that site attempted to infect end users with malware dubbed Mal/Behav-290, according to anti-virus firm Sophos.

Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out, spokesman Andre’ M. Di Mino said in an email. He said the details would be published soon.

The SQL injection attacks came from Chinese IP address 121.14.154.69, Dede said. Robint.us was registered to a Dongguan Wanjian of Dongguan, China, according to whois records. Dede said he is still trying to determine the module that is being compromised in the mass hack attack.

Credit: The Register

Digital River Servers Breached, 200,000 Individuals Records Stolen

Saturday, June 5th, 2010

E-commerce company Digital River exposed data belonging to almost 200,000 individuals after hackers executed a “highly unusual search command” against its secured servers, according to a news report.

The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data for as much as $500,000, The Minneapolis Star-Tribune reported Friday. After Eric Porat made repeated attempts to persuade a company called Media Breakaway to buy the information, company officials alerted their counterparts at Digital River, the paper reported, citing court documents. A federal grand jury is investigating the matter with help from the FBI.

The data contained names, email addresses, websites, and unique user-identification numbers for 198,398 individuals. It was originally gathered by affiliated marketing companies using software offered by Digital River’s subsidiary Direct Response Technologies and stored on password-protected servers.

It was stolen in late January using a “highly unusual” search command. The report didn’t elaborate.

Porat, who lives at home with his parents, allegedly claimed to offer the data to the highest bidder. He told the CEO of Media Breakaway he obtained it from a former Digital River consultant, who managed to siphon it off the servers when security systems were taken down temporarily.

Orders filed under seal last month block Porat from selling, destroying, altering, or distributing the data. Documents in the case were unsealed on Wednesday, but court documents weren’t available online at time of writing.

Credit: The Register

Another Crime Server Discovered, Contained 44 Million Stolen Game Accounts

Thursday, May 27th, 2010

Anti-virus company Symantec has discovered a server hosting the credentials of 44 million user accounts stolen from at least 18 different online games.

Symantec, best known as the maker of the Norton software line, stumbled on the server while analyzing a user-submitted sample of code. What apparently got the company’s attention wasn’t the sheer size of the database but the creative way in which it went about validating each account.

“What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck,” researcher Eoin Ward wrote on Symantec Connect. “By taking advantage of the distributed processing… you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done.”

“If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password,” he continued. “The attackers can then log on to the database and search for the valid user name and password combinations.”

The database holds approximately 17GB of “flat file data” from at least 18 different games, including roughly 60,000 Aion accounts, 210,000 World of Warcraft accounts, two million NCsoft accounts (shared across multiple games like Lineage 2, Guild Wars and City of Heroes) and 16 million Wayi Entertainment accounts. Determining the value of the data is “extremely difficult,” Ward wrote, because each account may have only a single, first-level character “whose only weapon is a rusty old spoon,” or multiple high-level characters with maxed-out equipment.

“This particular database server we uncovered seems very much to be the heart of the operation - part of a distributed password checker aimed at Chinese gaming websites,” Ward wrote. “The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games.”

Credit: escapistmagazine.com

Hackers Place Racist Message On Miami Road Sign: “No Latinos, No Tacos”

Wednesday, May 26th, 2010

Hackers in Miami targeted an electronic billboard, placing the slogan “No Latinos No Tacos” on a flashing construction sign on a major roadway in south Florida.

The sign was supposed to be displaying a message warning drivers that the coming exit was closed to traffic.

Officials attempted to change the text on the sign back to its intended message, but were unable to do so and were forced to simply turn off the sign. Miami police are investigating the incident.

South Florida is a heavily Latin influenced region of the United States. The city of Miami is an international city with Latinos coming from across Latin America.

Although some were offended, many simply brushed off the occurrence recognizing that the Latino population is the majority.

Credit: RT.com

Foxconn Website Defaced After iPhone Assembly Plant Suicides

Wednesday, May 26th, 2010

A subtle defacement of the website of electronics manufacturer Foxconn has drawn further attention to an alarming spate of worker suicides at a plant in southern China.

Nine of the workers at a Shenzen plant where iPhones and other hi-tech kit are assembled have killed themselves this year, with a further two unsuccessful suicide attempts. In a satirical response, Foxconn’s human resources site was hacked with a spoof ‘We’re Hiring’ notice.

A translation of the Chinese-language defacement by Shanghaiist reads:

Foxconn — We’re Hiring

Are you feeling down today? Do you feel like not living anymore? Do you want to know what it feels like to jump down from China’s model suicide jumping facility? Foxconn provides you the perfect environment to jump.

All the many reasons to jump here have ensured at least one jump per week.

Comprehensive press coverage guaranteed, to ensure your name travels ten thousand miles.

What are you waiting for? Pick up your phone now and join Foxconn.

Be the kickass twelfth jumper.

You can do it.

Hiring hotline: 514514514

The number “514” that is repeated three times in the “hiring hotline” sounds like the Chinese for “I want to die”, Shanghaiist (via fastcompany.com) adds. The defacement itself was not on the home page of Foxconn’s site.

It’s unclear who tampered with the site, much less how they posted the spoof notice, but it’s safe to say that the hack was much more subtle and sophisticated than the great majority of defacements. The site runs IIS 5 on a Windows 2000 platform.

Meanwhile, back in the real world, the head of Foxconn hosted international journalists on a tour of the controversial Shenzen facility where 300,000 live and work on Tuesday as part of a bid to assuage suspicions that workers at the factory are being ill-treated. Attempts to paint the facility in a favourable light have not been helped by local reports that workers are getting asked to sign promises not to kill themselves or that the firm has placed safety nets around high buildings in order to prevent staff jumping to their deaths, the BBC reports.

Apple, Dell and Hewlett-Packard all said they were investigating working conditions at Foxconn, the Financial Times adds.

Credit: The Register

German Cybercrime Forum Hacked, Members Details Uploaded Onto File-sharing Networks

Wednesday, May 19th, 2010

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carders.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise. From the e-zine’s opening salvo:

Many of you guys may have noticed this breeding German “underground” shit called carders.cc. For those who don’t: Carders is a marketplace full of everything that is illegal and bad. Carding, fraud, drugs, weapons and tons of kiddies. They used to be only a small forum, but after we erased 1337-crew they got more power. The rats left the sinking ship. The voices told us to own them since carders is our fault and we had to fix our flaw. So we did.

During the ownage they also gave us lulz by showing off their ridiculous configuration skills which had a specific impact on their security. They actually managed to chmod and chown nearly everything to 777 and www-user readable. Including their /root directory.

On the surface, it’s tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden costs: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations.
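The permissions failure described above (nearly everything chmod 777 and readable by the web server user) is something an administrator can audit for and fix on their own hosts. The following POSIX shell script is an added example, not code from the article or from KrebsOnSecurity; the sample web root it builds under a temporary directory, and the file names in it, are constructed for illustration.

```sh
#!/bin/sh
# Audit a web root for world-writable files and directories (the "777"
# misconfiguration the e-zine authors describe), and optionally strip the
# other-write bit. Hypothetical paths; nothing here touches a real site
# unless you point it at one.

# List every file or directory under $1 whose mode has the other-write bit.
# -xdev keeps the walk on one filesystem; -perm -0002 matches any mode that
# includes o+w (777, 666, 757, ...).
audit_world_writable() {
  root="$1"
  find "$root" -xdev \( -type f -o -type d \) -perm -0002 2>/dev/null
}

# Count the hits so a cron job can alert on a non-zero result.
count_world_writable() {
  audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: remove the other-write bit from every hit. Owner and group
# permissions are left alone, so the web server keeps what it legitimately
# has; only the "anyone can write" part goes away.
remove_world_write() {
  root="$1"
  find "$root" -xdev \( -type f -o -type d \) -perm -0002 \
       -exec chmod o-w {} + 2>/dev/null
}

# Constructed sample web root: two files and one directory, of which
# config.php and uploads/ are (wrongly) mode 777. Prints the root path.
make_sample_webroot() {
  d=$(mktemp -d)
  mkdir -p "$d/htdocs/uploads"
  printf 'index' > "$d/htdocs/index.php"
  printf 'secret' > "$d/htdocs/config.php"
  chmod 755 "$d/htdocs"
  chmod 644 "$d/htdocs/index.php"
  chmod 777 "$d/htdocs/config.php"   # world-writable: bad
  chmod 777 "$d/htdocs/uploads"      # world-writable directory: bad
  printf '%s' "$d"
}

# Stand-alone demo: audit the sample, fix it, audit again.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_webroot)
  echo "before fix: $(count_world_writable "$root") world-writable path(s)"
  audit_world_writable "$root"
  remove_world_write "$root"
  echo "after fix:  $(count_world_writable "$root") world-writable path(s)"
  rm -rf "$root"
fi
```

Run it with `--demo` to see the audit and fix on the constructed sample, or call `audit_world_writable /var/www` (a hypothetical path) from a cron job and alert on any output.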

Credit: KrebsOnSecurity.com
